CVE-2022-49606 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix sleep from invalid context BUG

Taking the qos_mutex to process RoCEv2 QP's on netdev events causes a kernel splat.

Fix this by removing the handling for RoCEv2 in irdma_cm_teardown_connections that uses the mutex. This handling is only needed for iWARP to avoid having connections established while the link is down or having connections remain functional after the IP address is removed.

BUG: sleeping function called from invalid context at kernel/locking/mutex.
Call Trace:
kernel: dump_stack+0x66/0x90
kernel: ___might_sleep.cold.92+0x8d/0x9a
kernel: mutex_lock+0x1c/0x40
kernel: irdma_cm_teardown_connections+0x28e/0x4d0 [irdma]
kernel: ? check_preempt_curr+0x7a/0x90
kernel: ? select_idle_sibling+0x22/0x3c0
kernel: ? select_task_rq_fair+0x94c/0xc90
kernel: ? irdma_exec_cqp_cmd+0xc27/0x17c0 [irdma]
kernel: ? __wake_up_common+0x7a/0x190
kernel: irdma_if_notify+0x3cc/0x450 [irdma]
kernel: ? sched_clock_cpu+0xc/0xb0
kernel: irdma_inet6addr_event+0xc6/0x150 [irdma]
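As an added illustration (not the kernel's code and not from the irdma driver), the following user-space C model shows why the fix works: a might_sleep()-style check records a splat whenever a blocking lock is taken from a context the model marks as atomic, and the pre-fix teardown routine hits it once per RoCEv2 QP, while the fixed routine never does. The preempt_count flag, the QP list and the teardown/notifier functions are simplified, hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model (not kernel code) of the check behind the splat: might_sleep()
 * fires when preempt_count is nonzero (the kernel also checks irqs_disabled()). */
static int preempt_count;   /* nonzero = atomic context, sleeping forbidden */
static int splat_count;     /* "sleeping function called from invalid context" hits */
static void might_sleep(const char *where)
{
    if (preempt_count != 0) {
        printf("BUG: sleeping function called from invalid context at %s\n", where);
        splat_count++;
    }
}

/* A mutex may block, so mutex_lock() begins with might_sleep(). */
static void mutex_lock(void)   { might_sleep("mutex_lock"); }
static void mutex_unlock(void) { }
enum transport { IWARP, ROCEV2 };
struct qp { enum transport transport; bool torn_down; };

/* Hypothetical stand-in for irdma_cm_teardown_connections. Before the fix the
 * RoCEv2 QPs were walked under qos_mutex; the fix drops that RoCEv2 handling
 * and keeps only the iWARP teardown (done here without a sleeping lock). */
static void teardown_connections(struct qp *qps, int n, bool fixed)
{
    for (int i = 0; i < n; i++) {
        if (qps[i].transport == IWARP)
            qps[i].torn_down = true;
        else if (!fixed) {
            mutex_lock();               /* qos_mutex taken in atomic context */
            qps[i].torn_down = true;
            mutex_unlock();
        }
    }
}

/* Model of the inet6addr notifier path, whose callbacks run in atomic context.
 * Constructed QP list (one iWARP, two RoCEv2); returns the splat count. */
static int run_netdev_event(bool fixed, int *torn_down)
{
    struct qp qps[3] = { {IWARP, false}, {ROCEV2, false}, {ROCEV2, false} };
    splat_count = 0;
    preempt_count++;                    /* enter atomic context */
    teardown_connections(qps, 3, fixed);
    preempt_count--;
    *torn_down = qps[0].torn_down + qps[1].torn_down + qps[2].torn_down;
    return splat_count;
}
static int splats_on_event(bool fixed)    { int t; return run_netdev_event(fixed, &t); }
static int torn_down_on_event(bool fixed) { int t; run_netdev_event(fixed, &t); return t; }
```

Running the pre-fix path yields two splats (one per RoCEv2 QP) and three torn-down QPs; the fixed path yields no splat and tears down only the iWARP QP, matching the commit message's rationale that the RoCEv2 handling was not needed.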


Analysis

by VulDB Data Team • 10/23/2025

The vulnerability CVE-2022-49606 represents a critical kernel panic condition within the Linux RDMA implementation, specifically affecting the irdma driver responsible for InfiniBand and RoCEv2 network interface operations. This issue stems from an improper synchronization mechanism that leads to a kernel splat when handling network device events. The flaw occurs during the processing of RoCEv2 Queue Pair (QP) connections in response to network interface notifications, creating a scenario where sleeping functions are invoked from contexts where such operations are strictly prohibited.

The technical root cause involves the inappropriate acquisition of the qos_mutex within the irdma_cm_teardown_connections function during network device event handling. This mutex acquisition occurs in a context where the kernel's sleeping function mechanism is not permitted, violating fundamental kernel design principles. The call trace demonstrates the execution path leading to the failure, showing that mutex_lock is invoked from irdma_cm_teardown_connections, which is subsequently called from irdma_if_notify and ultimately from irdma_inet6addr_event. This creates a direct violation of the kernel's locking subsystem constraints that prevent blocking operations in atomic contexts.

The operational impact of this vulnerability manifests as a complete system crash or kernel panic when network interface events occur, particularly during link state changes or IP address modifications. Systems utilizing RDMA hardware with RoCEv2 capabilities become unstable and may experience complete service disruption, as the kernel cannot properly handle network device notifications without triggering the BUG condition. This affects enterprise networks, data centers, and high-performance computing environments where RDMA acceleration is critical for low-latency communications.

The implemented fix addresses this by removing the RoCEv2-specific handling within irdma_cm_teardown_connections that relied on the problematic mutex acquisition. This removal is justified because the mutex handling was only necessary for iWARP implementations to manage connection states during link down events or IP address removals. The solution aligns with the principle that different RDMA transport protocols (RoCEv2 vs. iWARP) require distinct handling mechanisms, and the specific mutex-based approach was inappropriate for RoCEv2 operations. This remediation follows established security practices for kernel-level synchronization and prevents the invalid context usage that leads to system instability.

From a cybersecurity perspective, this vulnerability demonstrates the importance of proper kernel locking mechanisms and context awareness in system-level programming. The issue relates to CWE-367, which addresses Time-of-Check to Time-of-Use (TOCTOU) flaws, and represents a violation of the kernel's atomic context requirements. The ATT&CK framework categorizes this under privilege escalation and system compromise techniques, as successful exploitation results in complete system instability and potential denial of service. Organizations should prioritize patching this vulnerability to maintain system reliability and prevent unauthorized disruption of critical network services that depend on RDMA acceleration. The fix ensures that network device event handling remains stable while preserving the core functionality required for proper connection management in RDMA environments.

Responsible: Linux
Reservation: 02/26/2025
Disclosure: 02/26/2025
Moderation: accepted
CPE: ready
EPSS: 0.00180
KEV: no
Activities: very low
